6.0.0-alpha12
6/9/25

[#12926] invalid token when printing from frameset
Summary invalid token when printing from frameset
Queue Horde Groupware Webmail Edition
Queue Version 5.1.3
Type Bug
State Not A Bug
Priority 1. Low
Owners
Requester dav (at) geoazur (dot) unice (dot) fr
Created 01/20/2014 (4158 days ago)
Due
Updated 01/24/2014 (4154 days ago)
Assigned 01/22/2014 (4156 days ago)
Resolved 01/24/2014 (4154 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
01/24/2014 11:43:10 PM Michael Slusarz Comment #6
State ⇒ Not A Bug
Reply to this comment
The & is nothing more than an encoded version of an ampersand.   
This is something that is handled by Horde_Url internally.

If someone is adding a frameset layer to Horde, it is their 
responsibility to correctly encode URLs.
01/22/2014 08:43:57 PM dav (at) geoazur (dot) unice (dot) fr Comment #5 Reply to this comment
Yes the frameset is not from Horde, but I wondered if it is Horde that 
encode "&" in its own url, only when used inside a frameset. I 
thought that this little glitch could be detected and managed inside 
Horde (maybe we are not alone in using frames). But if you say that 
this bug is not coming from Horde, ok the problem is really the 
frameset so never mind. Thanks for your answers.
01/22/2014 07:53:45 PM Michael Slusarz Comment #4 Reply to this comment
frameset is "above" Horde. Technically : 
http://webmail.domain1/index.html is just
<frameset><frame src=https://server.domain2/horde/></frameset>
I think you can reproduce it easily.
Once again, this is not anything provided by Horde.  We removed all 
framesets long ago (Horde 4.0 to be exact).  We can't provide bug 
support/fixes for something that doesn't exist in our code.
01/22/2014 11:41:24 AM dav (at) geoazur (dot) unice (dot) fr Comment #3
New Attachment: frameset.patch Download
Reply to this comment
frameset is "above" Horde. Technically : 
http://webmail.domain1/index.html is just
<frameset><frame src=https://server.domain2/horde/></frameset>
I think you can reproduce it easily.

Then I don't understand why "&view_token=..." (not the other 
parameters) is changed to "&amp;view_token=..." in this case. Despite 
that, all is working well so maybe it's a small glitch.

For now I solve it by adding a check of "amp;view_token" to checkToken 
function in imp/lib/Contents/View.php but I guess it's not a clean 
solution.
01/22/2014 05:47:15 AM Michael Slusarz Comment #2
Priority ⇒ 1. Low
State ⇒ Feedback
Reply to this comment
We don't use framesets in Horde (?)  Not sure what you are referring to.
01/20/2014 05:08:06 PM dav (at) geoazur (dot) unice (dot) fr Comment #1
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ invalid token when printing from frameset
Queue ⇒ Horde Groupware Webmail Edition
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
Reply to this comment
We use Horde inside a frameset (Gandi domain with "masked" forwarding 
mode) : login is Ok after setting "use_only_cookies" to false, but 
view, print, etc. actions for mail/imp, open a new window with "fatal 
error - invalid token".

However when using Horde with direct url, theses actions open correct windows.

Actually, when logging from frameset http://webmail.domain1/ then 
trying to print a mail, url of the new window is
https://server.domain2/horde/imp/view.php?Horde=hhh&amp%3Bview_token=ttt-ttt&actionID=print_attach&buid=bbb&id=1&mailbox=mmm&token=ttt-ttt&uniq=uuu

whereas when logging from http://server/horde/ then printing, url is
https://server.domain2/horde/imp/view.php?view_token=ttt-ttt&actionID=print_attach&buid=bbb&id=1&mailbox=mmm&token=ttt-ttt&uniq=uuu

If I edit url with "invalid token" and just replace 
"&amp%3Bview_token" with "&view_token" then reload, it works : the 
window shows the expected result.

Any idea from where "&" was encoded to "&amp;" when using frame ?

Saved Queries